Back in August 2022, the Vietnamese security company GTSC was the first one to discover that Microsoft Exchange had vulnerabilities.
Starting in early August 2022, these two zero-day vulnerabilities had been exploited by the attackers to attack their customers’ environments.
The two vulnerabilities identified are as follows:-
- CVE-2022-41040: It is a Server-Side Request Forgery (SSRF) vulnerability with 8.8 severity score out of 10.
- CVE-2022-41082: This flaw allows Remote Code Execution (RCE) when PowerShell is accessible to the attacker. And this flaw has achived a score of 6.3 out of 10.
Based on recent reports, Microsoft is aware of a limited number of targeted attacks used to breach users’ systems by exploiting these vulnerabilities.
In order to exploit either of the two vulnerabilities successfully, an attacker would need to have access to an Exchange Server that is vulnerable.
Microsoft Exchange Server 2013, 2016, and 2019 are all affected by these vulnerabilities which have an impact on on-premises deployments.
By exploiting these vulnerabilities successfully, hackers are able to accomplish the following things:-
- Infiltrate the victim’s computer system
- Obtain a web shell and install it
- Travel in a sideways direction through the compromised network
While apart from this, Microsoft has claimed that they are steadily working to release a fix as soon as possible. However, there are protections built into Microsoft Exchange Online that enable customers to be protected from risks like these.
To ensure the safety of its customers, Microsoft will respond accordingly, since Microsoft is constantly observing all these detections for any malicious activity.
The current mitigation method for Exchange Server concerns the addition of a blocking rule which does the following:-
IIS Manager -> Default Web Site -> URL Rewrite -> Actions
As a result, known attack patterns are blocked in order to prevent attacks from occurring.
There is as yet no information on the technical details about the security holes that were exploited before the release of the fixes, as the company declined to comment on it.